Tag open-source

since everyone is talking about log4j/supply chains an experiment years ago i calculated 1-bit offset utf8 strings of the top few hundred npm packages and registered packages under them they received thousands of hits per week from machines trying to download and execute them

suzuha (@dystopiabreaker)Sat, 11 Dec 2021 08:06 GMT

Maintainable open source is not an easily solved problem. And yet most of our tech stacks would shut down if open source code was all of a sudden unavailable.

Laurie (@laurieontech)Sat, 11 Dec 2021 22:44 GMT

The Apache Log4j project is maintained by three people who are volunteering their spare time. Please don't be a jerk to them because multi-billion dollar companies are using their tool without even bothering to throw $1,000 their way.

Post details

Log4j maintainers have been working sleeplessly on mitigation measures; fixes, docs, CVE, replies to inquiries, etc. Yet nothing is stopping people to bash us, for work we aren't paid for, for a feature we all dislike yet needed to keep due to backward compatibility concerns. twitter.com/shipilev/statu…

Volkan Yazıcı (@yazicivo)Fri, 10 Dec 2021 16:55 GMT

Catalin Cimpanu (@campuscodi)Sat, 11 Dec 2021 17:41 GMT

It took me about 5 minutes to start locally running an open source Ruby project despite the fact that I never touched Ruby on Rails in the past & project itself didn’t have related docs. Now that’s what I call strong external community resources that are easy to find 👏

Cake is Kate. Always has been 💫 (@kefimochi)Sat, 11 Dec 2021 23:27 GMT

https://twitter.com/FiloSottile/status/1469441487175880711

The market rate of a developer who can maintain a large open source project is at least $300k/yr. (Conservatively, check levels.fyi.) The most I've seen someone rack up on GitHub Sponsors and Patreon is like $1,000/month. You see the problem?

Filippo ${jndi:ldap://filippo.io/x} Valsorda (@FiloSottile)Fri, 10 Dec 2021 22:58 GMT

https://twitter.com/FiloSottile/status/1469441477642178561

This is the maintainer who fixed the vulnerability that's causing millions(++?) of dollars of damage. "I work on Log4j in my spare time" "always dreamed of working on open source full time" "3 sponsors are funding @rgoers's work: Michael, Glenn, Matt" People, what are we doing.

Filippo ${jndi:ldap://filippo.io/x} Valsorda (@FiloSottile)Fri, 10 Dec 2021 22:58 GMT

orgs: hire an oss strategy person to do this for your entire product portfolio. add in “what does the project need” to the “how is this being funded?” question eng: do this for your tech stack

Post details

fun exercise for folks with production code in github: go to the Insights tab in your repo and navigate to the Dependencies page. pick a package that looks interesting and find out how it's funded.

shelby spees (@shelbyspees)Sat, 11 Dec 2021 16:34 GMT

p🍐ris (@ParisInBmore)Sat, 11 Dec 2021 16:38 GMT

fun exercise for folks with production code in github: go to the Insights tab in your repo and navigate to the Dependencies page. pick a package that looks interesting and find out how it's funded.

shelby spees (@shelbyspees)Sat, 11 Dec 2021 16:34 GMT

This may seem like overkill, but it's really an investment in your company's stability. #OpenSource may reduce many costs of development, but it's not entirely free. Don't find out that the library that's integral to your infrastructure is un(der)-funded when it's too late.

Post details

orgs: hire an oss strategy person to do this for your entire product portfolio. add in “what does the project need” to the “how is this being funded?” question eng: do this for your tech stack

twitter.com/shelbyspees/st…

p🍐ris (@ParisInBmore)Sat, 11 Dec 2021 16:38 GMT

julia ferraioli (@juliaferraioli)Sat, 11 Dec 2021 17:53 GMT

No one is paying the log4j2 maintainers!? There is a whole page on the responsibilities of a @TheASF "Project Management Committee"... AND NO ONE IS PAYING THEM? apache.org/dev/pmc.html Open Source needs to grow the hell up. Yesterday.

Post details

Log4j maintainers have been working sleeplessly on mitigation measures; fixes, docs, CVE, replies to inquiries, etc. Yet nothing is stopping people to bash us, for work we aren't paid for, for a feature we all dislike yet needed to keep due to backward compatibility concerns. twitter.com/shipilev/statu…

Volkan Yazıcı (@yazicivo)Fri, 10 Dec 2021 16:55 GMT

Filippo ${jndi:ldap://filippo.io/x} Valsorda (@FiloSottile)Fri, 10 Dec 2021 22:58 GMT

Sending hugs to Log4J people. This must be an extraordinarily shitty Friday for them.

Post details

If you're running a server with #Log4J, please add the following JVM argument to your command line immediately to protect against a 0-day exploit. -Dlog4j2.formatMsgNoLookups=true lnkd.in/gHmEFJ9w #Java #Security #Infosec

Bruno Borges (@brunoborges)Fri, 10 Dec 2021 06:07 GMT

Aleksey Shipilëv (@shipilev)Fri, 10 Dec 2021 15:26 GMT

Log4j maintainers have been working sleeplessly on mitigation measures; fixes, docs, CVE, replies to inquiries, etc. Yet nothing is stopping people to bash us, for work we aren't paid for, for a feature we all dislike yet needed to keep due to backward compatibility concerns.

Post details

Sending hugs to Log4J people. This must be an extraordinarily shitty Friday for them. twitter.com/brunoborges/st…

Aleksey Shipilëv (@shipilev)Fri, 10 Dec 2021 15:26 GMT

Volkan Yazıcı (@yazicivo)Fri, 10 Dec 2021 16:55 GMT

This is the kind of shit open-source maintainers and visible community members deal with _constantly_. I spend a lot of my time teaching people about Kubernetes and ops stuff, possibly too much time. But I do it on my terms. Maintainers don't owe you training.

Noah Kantrowitz (@kantrn)Wed, 01 Dec 2021 21:20 GMT

So you want for fork Electron. This is not for the faint of heart, but I will tell you what you need to do.

Jacob 🌎💧🍁☀️ (@0x606)Wed, 24 Nov 2021 17:59 GMT

Sometimes you go from creator to maintainer to user. This is a valid path and is a healthy one.

Jaana Dogan ヤナ ドガン (@rakyll)Mon, 08 Nov 2021 20:53 GMT

A quick definition of Open-Source

Fabien Potencier (@fabpot)Thu, 04 Nov 2021 08:26 GMT

https://twitter.com/adamhjk/status/1456647709092311043

Want it to be open source? Great! Go for it. Want it to have all the upsides of open source, and none of the side effects that might make you uncomfortable? Get the fuck right out of town with that. The upside of being open should come with the potential for others to benefit.

Adam Jacob (@adamhjk)Fri, 05 Nov 2021 15:40 GMT

I don’t think people realise just how prevalent this sort of thing is… We get them to the Django board all the time too. We’re all volunteers, and it can take a toll. twitter.com/mikemcquaid/st…

Post details

Being an open-source maintainer in 2021: since yesterday I have: - people in my personal DMs calling me a douche for not helping them debug their problems in my DMs - people saying “f*ck you Homebrew” (their censoring, not mine) in my personal email for a new Homebrew release

Mike McQuaid (@MikeMcQuaid)Wed, 27 Oct 2021 11:43 +0000

Aaron Bassett - 🥑🪐 (@aaronbassett)Wed, 27 Oct 2021 13:45 +0000

Still blows my mind how people increasingly think the answer to their OSS problems is to harass and abuse the maintainers (aka who can fix their problems). The abuse gets exponentially worse towards non white/cis/men maintainers. This is the “normal”. OSS is broken. twitter.com/mikemcquaid/st…

Post details

Being an open-source maintainer in 2021: since yesterday I have: - people in my personal DMs calling me a douche for not helping them debug their problems in my DMs - people saying “f*ck you Homebrew” (their censoring, not mine) in my personal email for a new Homebrew release

Mike McQuaid (@MikeMcQuaid)Wed, 27 Oct 2021 11:43 +0000

Emily Kager (@EmilyKager)Wed, 27 Oct 2021 18:30 +0000

Being an open-source maintainer in 2021: since yesterday I have: - people in my personal DMs calling me a douche for not helping them debug their problems in my DMs - people saying “f*ck you Homebrew” (their censoring, not mine) in my personal email for a new Homebrew release

Mike McQuaid (@MikeMcQuaid)Wed, 27 Oct 2021 11:43 +0000

Thanks to @JamieTanna for stepping up up as a @jenkinsci JobDSL plugin maintainer! And kudos to @daspilker for leading it for almost ten years 🙇 JobDSL is one of the well documented and stable plugins and it is also essential for the configuration as code ecosystem in Jenkins

Post details

https://twitter.com/martaarcones/status/1433095090621362181

Just to update on this - I'm a maintainer now, it's been released as 1.78 this morning, and I'll see over the coming weeks if there's anything other high-priority to ship 🚀 (jvt.me/mf2/2021/10/jy…)

Jamie Tanna | www.jvt.me (@JamieTanna)Wed, 27 Oct 2021 09:54 +0000

Oleg Nenashev (@oleg_nenashev)Wed, 27 Oct 2021 10:11 +0000

https://twitter.com/mjasay/status/1452334102020071431

GitHub isn't Open Source, and it's acquisition by Microsoft was not proof of their commitment to Open Source as a movement. There are other things that indicate a meaningful change in respect of the movement. ASOP is an "Open Source Project" in name and software license only.

Matthew S. Wilson (msw) (@_msw_)Sun, 24 Oct 2021 18:15 +0000

Every open source maintainer upon realizing tomorrow is October…

Devon Govett (@devongovett)Fri, 01 Oct 2021 03:02 +0000

Using this

🧗‍♂️ Matt Holt (@mholt6)Fri, 01 Oct 2021 05:54 +0000

An open source project either dies young as a hero or lives long enough to be horribly mismanaged into the ground by a group of big egos with misaligned incentives.

Jamon 🚜 (@jamonholmgren)Thu, 30 Sep 2021 17:02 +0000

https://twitter.com/jenkinsci/status/1434192692414595073

Thanks to the entire Jenkins Infra Team for their evening&weekend work to get it fixed as soon as possible! 🙇

Oleg Nenashev (@oleg_nenashev)Sat, 04 Sep 2021 16:55 +0000

https://twitter.com/rawkode/status/1422216687424872452

I am not sure whether Daniel has any bandwidth these days. Last 1.5 have been pretty complicated to anyone, and we need more maintainers in @jenkinsci . Any contributions like reviews and testing would be appreciated, and maybe even adopting the plugin. jenkins.io/doc/developer/…

Oleg Nenashev (@oleg_nenashev)Mon, 02 Aug 2021 15:26 +0000

I ♥ contributing to Open Source. Signing a CLA gives me a sense of pride and accomplishment!

Terence Eden (@edent)Mon, 29 Jul 2019 17:51 +0000

Last several months were rough, but I am finally able to contribute to the projects again. Thanks to all relatives, colleagues and friends for their support! // burnout...

Oleg Nenashev (@oleg_nenashev)Tue, 30 Mar 2021 08:00 +0000

It is... curious to see GitHub listed as a type of #OpenSource software in the State of Open UK Phase 2 report. Yes, git is OSS, but GitHub very much is not.

julia ferraioli (@juliaferraioli)Fri, 09 Jul 2021 20:42 +0000

If your AI processes AGPL licensed source code and thereby incorporates it, is your AI code required to be released to the public? Roll 3d6 and hire that many lawyers.

Post details

Anybody else wandering how "machine learning" laundering of copywritten works is going to hold up in court? twitter.com/dmofengineerin…

'jamin (@acdimalev)Thu, 08 Jul 2021 18:58 +0000

DM of Engineering (@dmofengineering)Thu, 08 Jul 2021 19:19 +0000

The maintainer of an audacity fork was PHYSICALLY STABBED by a 4channer after they doxxed him and his family over a naming poll for the new fork: github.com/tenacityteam/t… But again of course nothing will happen because everyone is too chickenshit to take down this cesspool

Katharina 🍉 »Free Palestine« 🇵🇸 Fey (@spacekookie)Wed, 07 Jul 2021 09:50 +0000

In case it's not clear what's happening here: @github's Copilot "autocompletes" the fast inverse square root implementation from Quake III — which is GPL2+ code. It then autocompletes a BSD2 license comment (with the wrong copyright holder). This is fine.

Post details

I don't want to say anything but that's not the right license Mr Copilot.

Armin Ronacher (@mitsuhiko)Fri, 02 Jul 2021 09:01 +0000

Stefan Karpinski (@StefanKarpinski)Fri, 02 Jul 2021 14:38 +0000

I'd just like to interject for a moment. What you're referring to as Copilot, is in fact, GNU/Copilot, or as I've recently taken to calling it, GNU code trained Copilot. Copilot is not an AI system unto itself, but rather a proprietary component that launders GNU code

Post details

https://twitter.com/pfctdayelise/status/1410063455273377793

"Once, GitHub Copilot suggested starting an empty file with something it had even seen more than a whopping 700,000 different times during training -- that was the GNU General Public License." docs.github.com/en/github/copi…

eevee (@eevee)Wed, 30 Jun 2021 02:49 +0000

Ian Coldwater 📦💥 (@IanColdwater)Thu, 01 Jul 2021 12:25 +0000